
My NixOS systems configurations.

      1 { config, lib, pkgs, ... }:
      2 
      3 let
      4   common = {
      5     sopsFile = ../../../secrets/secrets.yaml;
      6     mode = "444";
      7     owner = "root";
      8     group = "root";
      9   };
     10 in
     11 {
     12   imports = [
     13     ./binfmt.nix
     14     ./boot.nix
     15     ./config.nix
     16     ./i18n.nix
     17     ./nix.nix
     18     ./users.nix
     19   ];
     20 
     21   environment.systemPackages = with pkgs; [
     22     cachix
     23     file
     24     htop
     25     iotop
     26     lsof
     27     netcat
     28     psmisc
     29     pv
     30     tree
     31     vim
     32     wget
     33   ];
     34   # FIXME fix tmpOnTmpfs
     35   # systemd.additionalUpstreamSystemUnits = [ "tmp.mount" ];
     36 
     37   security.sudo = {
     38     extraConfig = ''
     39       Defaults env_keep += SSH_AUTH_SOCK
     40     '';
     41   };
     42 
     43   sops.secrets."minica.pem" = {
     44     inherit (common) mode owner group sopsFile;
     45     path = "/etc/ssl/certs/minica.pem";
     46   };
     47   sops.secrets."redhat.pem" = {
     48     inherit (common) mode owner group sopsFile;
     49     path = "/etc/ssl/certs/redhat.pem";
     50   };
     51   # security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/minica.pem" ]; 
     52 
     53   # Only keep the last 500MiB of systemd journal.
     54   services.journald.extraConfig = "SystemMaxUse=500M";
     55 
     56   # Clear out /tmp after a fortnight and give all normal users a ~/tmp
     57   # cleaned out weekly.
     58   systemd.tmpfiles.rules = [ "d /tmp 1777 root root 14d" ] ++
     59     (
     60       let mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
     61       in lib.mapAttrsToList mkTmpDir (lib.filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
     62     );
     63 
     64   systemd.services."status-email-root@" = {
     65     description = "status email for %i to vincent";
     66     serviceConfig = {
     67       Type = "oneshot";
     68       ExecStart = ''
     69         ${pkgs.my.systemd-email}/bin/systemd-email vincent@demeester.fr %i
     70       '';
     71       User = "root";
     72       Environment = "PATH=/run/current-system/sw/bin";
     73     };
     74   };
     75 }